Abstract. Strongly multiplicative linear secret sharing schemes (LSSS)
have been a powerful tool for constructing secure multi-party computation
protocols. However, it remains open whether or not there exist efficient
constructions of strongly multiplicative LSSS from general LSSS. In
this paper, we propose the new concept of a 3-multiplicative LSSS, and
establish its relationship with strongly multiplicative LSSS. More precisely,
we show that any 3-multiplicative LSSS is a strongly multiplicative
LSSS, but the converse is not true; and that any strongly multiplicative
LSSS can be efficiently converted into a 3-multiplicative LSSS. Furthermore,
we apply 3-multiplicative LSSS to the computation of unbounded
fan-in multiplication, which reduces its round complexity to four (from
five of the previous protocol based on strongly multiplicative LSSS). We
also give two constructions of 3-multiplicative LSSS from Reed-Muller
codes and algebraic geometric codes. We believe that the construction
and verification of 3-multiplicative LSSS are easier than those of strongly
multiplicative LSSS. This presents a step forward in settling the open
problem of efficient constructions of strongly multiplicative LSSS from
general LSSS.

1 Introduction

Secure multi-party computation (MPC) [16,9] is a cryptographic primitive that
enables $n$ players to jointly compute an agreed function of their private inputs in
a secure way, guaranteeing the correctness of the outputs as well as the privacy of
the players' inputs, even when some players are malicious. It has become a
fundamental tool in cryptography and distributed computation. Linear secret sharing
schemes (LSSS) play an important role in building MPC protocols. Cramer et
al. [6] developed a generic method of constructing MPC protocols from LSSS.
Assuming that the function to be computed is represented as an arithmetic
circuit over a finite field, their protocol ensures that each player share his private
input through an LSSS, and then evaluates the circuit gate by gate. The main
idea of their protocol is to keep the intermediate results secretly shared among
the players with the underlying LSSS. Due to the nature of linearity, secure
additions (and linear operations) can be easily achieved. For instance, if player
$P_i$ holds the share $x_{1i}$ for input $x_1$ and $x_{2i}$ for input $x_2$, he can locally
compute $x_{1i} + x_{2i}$, which is actually $P_i$'s share for $x_1 + x_2$. Unfortunately, the above
homomorphic property does not hold for multiplication. In order to securely
compute multiplications, Cramer et al. [6] introduced the concept of multiplicative
LSSS, where the product $x_1 x_2$ can be computed as a linear combination of
the local products of shares, that is, $x_1 x_2 = \sum_{i=1}^{n} a_i x_{1i} x_{2i}$ for some constants
$a_i$, $1 \le i \le n$. Since $x_{1i} x_{2i}$ can be locally computed by $P_i$, the product can
then be securely computed through a linear combination. Furthermore, in order
to resist against an active adversary, they defined strongly multiplicative LSSS,
where $x_1 x_2$ can be computed as a linear combination of the local products of
shares by all players excluding any corrupted subset. Therefore, multiplicativity
becomes an important property in constructing secure MPC protocols. For
example, using strongly multiplicative LSSS, we can construct an error-free MPC
protocol secure against an active adversary in the information-theoretic model
[6]. Cramer et al. [7] also gave an efficient reconstruction algorithm for strongly
multiplicative LSSS that recovers the secret even when the shares submitted by
the corrupted players contain errors. This implicit "built-in" verifiability makes
strongly multiplicative LSSS an attractive building block for MPC protocols.

Due to their important role as the building blocks in MPC protocols, efficient 
constructions of multiplicative LSSS and strongly multiplicative LSSS have been 
studied by several authors in recent years. Cramer et al. [6] developed a generic 
method of constructing a multiplicative LSSS from any given LSSS with a double
expansion of the shares. Nikov et al. [14] studied how to securely compute multi- 
plications in a dual LSSS, without blowing up the shares. For some specific access 
structures there exist very efficient multiplicative LSSS. Shamir's threshold se- 
cret sharing scheme is a well-known example of an ideal (strongly) multiplicative 
LSSS. Besides, self-dual codes give rise to ideal multiplicative LSSS [7], and Liu 
et al. [12] provided a further class of ideal multiplicative LSSS for graph access 
structures. We note that for strongly multiplicative LSSS, the known general 
construction is of exponential complexity. Kasper et al. [11] gave some efficient 
constructions for specific access structures (hierarchical threshold structures). 
It remains open whether there exists an efficient transformation from a general 
LSSS to a strongly multiplicative one. 

On the other hand, although in a multiplicative LSSS, multiplication can be
converted into a linear combination of inputs from the players, each player has to
reshare the product of his shares, that is, for $1 \le i \le n$, $P_i$ needs to reshare the
product $x_{1i} x_{2i}$ to securely compute the linear combination $\sum_{i=1}^{n} a_i x_{1i} x_{2i}$. This
resharing process involves costly interactions among the players. For example, if
the players are to securely compute multiple multiplications, $\prod_{i=1}^{l} x_i$, simple
sequential multiplication requires interaction of round complexity proportional
to $l$. Using the technique developed by Bar-Ilan and Beaver [1], Cramer et al.
[4] recently showed that the round complexity can be significantly reduced to a
constant of five for unbounded fan-in multiplications. However, the method does
not seem efficient when $l$ is small. For example, considering $x_1 x_2$ and $x_1 x_2 x_3$,
extra rounds of interactions seem unavoidable for computing $x_1 x_2 x_3$ if we apply
the method of Cramer et al. [4].

1.1 Our Contribution 

In this paper, we propose the concept of 3-multiplicative LSSS. Roughly
speaking, a 3-multiplicative LSSS is a generalization of multiplicative LSSS, where
the product $x_1 x_2 x_3$ is a linear combination of the local products of shares. As
one would expect, a 3-multiplicative LSSS achieves better round complexity for
the computation of $\prod_{i=1}^{l} x_i$ compared to a multiplicative LSSS, if $l > 3$. Indeed,
it is easy to see that computing the product $\prod_{i=1}^{9} x_i$ requires two rounds of
interaction for a 3-multiplicative LSSS but four rounds for a multiplicative LSSS.
We also extend the concept of a 3-multiplicative LSSS to the more general
$\lambda$-multiplicative LSSS, for all integers $\lambda > 3$, and show that $\lambda$-multiplicative LSSS
reduce the round complexity by a factor of from multiplicative LSSS. In 
particular, 3-multiplicative LSSS reduce the constant round complexity of com- 
puting the unbounded fan-in multiplication from five to four, thus improving a 
result of Cramer et al. [4]. 

More importantly, we show that 3-multiplicative LSSS are closely related
to strongly multiplicative LSSS. The latter is known to be a powerful tool for
constructing secure MPC protocols against active adversaries. More precisely,
we show the following:

(i) 3-multiplicative LSSS are also strongly multiplicative; 

(ii) there exists an efficient algorithm that transforms a strongly multiplicative 
LSSS into a 3-multiplicative LSSS; 

(iii) an example of a strongly multiplicative LSSS that is not 3-multiplicative. 

Our results contribute to the study of MPC in the following three aspects:

— The 3-multiplicative LSSS outperform strongly multiplicative LSSS with
respect to round complexity in the construction of secure MPC protocols.

— The 3-multiplicative LSSS are easier to construct than strongly multiplicative
LSSS. First, the existence of an efficient transformation from a strongly
multiplicative LSSS to a 3-multiplicative LSSS implies that efficiently
constructing 3-multiplicative LSSS is not a harder problem. Second, verification
of a strongly multiplicative LSSS requires checking the linear combinations
for all possibilities of adversary sets, while the verification of a
3-multiplicative LSSS requires only one checking. We give two constructions of
LSSS based on Reed-Muller codes and algebraic geometric codes that can be
easily verified for 3-multiplicativity, but it does not seem easy to give direct
proofs of their strong multiplicativity.

— This work provides two possible directions toward solving the open problem
of determining the existence of efficient constructions for strongly multiplicative
LSSS. On the negative side, if we can prove that in the information-theoretic
model and with polynomial size message exchanged, computing
$x_1 x_2 x_3$ inevitably needs more rounds of interactions than computing $x_1 x_2$,
then we can give a negative answer to this open problem. On the positive
side, if we can find an efficient construction for 3-multiplicative LSSS, which
also results in strongly multiplicative LSSS, then we will have an affirmative
answer to this open problem.

1.2 Organization 

Section 2 gives notations, definition of multiplicative LSSS, and general construc- 
tions for strongly multiplicative LSSS. Section 3 defines 3-multiplicative LSSS. 
Section 4 shows the relationship between 3-multiplicative LSSS and strongly
multiplicative LSSS. Section 5 gives two constructions of 3-multiplicative LSSS from
error-correcting codes, and Section 6 discusses the implications of 3-multiplicative 
LSSS in MPC. Section 7 concludes the paper. 

2 Preliminaries 

Throughout this paper, let $P = \{P_1, \ldots, P_n\}$ denote the set of $n$ players and
let $\mathcal{K}$ be a finite field. In a secret sharing scheme, the collection of all subsets of
players that are authorized to recover the secret is called its access structure, and
is denoted $AS$. An access structure possesses the monotone ascending property:
if $A' \in AS$, then for all $A \subseteq P$ with $A \supseteq A'$, we also have $A \in AS$. Similarly, the
collection of subsets of players that are possibly corrupted is called the adversary
structure, and is denoted $\mathcal{A}$. An adversary structure possesses the monotone
descending property: if $A' \in \mathcal{A}$, then for all $A \subseteq P$ with $A \subseteq A'$, we also have
$A \in \mathcal{A}$. Owing to these monotone properties, it is often sufficient to consider the
minimum access structure $AS_{min}$ and the maximum adversary structure $\mathcal{A}_{max}$
defined as follows:

$AS_{min} = \{A \in AS \mid \forall B \subseteq P, \text{ we have } B \subsetneq A \Rightarrow B \notin AS\}$,
$\mathcal{A}_{max} = \{A \in \mathcal{A} \mid \forall B \subseteq P, \text{ we have } B \supsetneq A \Rightarrow B \notin \mathcal{A}\}$.

In this paper, we consider the complete situation, that is, $\mathcal{A} = 2^P - AS$. Moreover,
an adversary structure $\mathcal{A}$ is called $Q^2$ (respectively, $Q^3$) if any two (respectively,
three) sets in $\mathcal{A}$ cannot cover the entire player set $P$. For simplicity, when an
adversary structure $\mathcal{A}$ is $Q^2$ (respectively, $Q^3$) we also say the corresponding
access structure $AS = 2^P - \mathcal{A}$ is $Q^2$ (respectively, $Q^3$).

2.1 Linear Secret Sharing Schemes and Monotone Span Programs

Suppose $S$ is the secret-domain, $R$ is the set of random inputs, and $S_i$ is the
share-domain of $P_i$, where $1 \le i \le n$. Let $\mathbf{S}$ and $\mathbf{R}$ denote random variables
taking values in $S$ and $R$, respectively. Then $\Pi : S \times R \to S_1 \times \cdots \times S_n$ is called
a secret sharing scheme (SSS) with respect to the access structure $AS$, if the
following two conditions are satisfied:

1. for all $A \in AS$, $H(\mathbf{S} \mid \Pi(\mathbf{S}, \mathbf{R})|_A) = 0$;

2. for all $B \notin AS$, $H(\mathbf{S} \mid \Pi(\mathbf{S}, \mathbf{R})|_B) = H(\mathbf{S})$,

where $H(\cdot)$ is the entropy function. Furthermore, the secret sharing scheme $\Pi$ is
called linear if we have $S = \mathcal{K}$, $R = \mathcal{K}^{l-1}$, and $S_i = \mathcal{K}^{d_i}$ for some positive integers
$l$ and $d_i$, $1 \le i \le n$, and the reconstruction of the secret can be performed by
taking a linear combination of shares from the authorized players. The quantity
$d = \sum_{i=1}^{n} d_i$ is called the size of the LSSS.

Karchmer and Wigderson [10] introduced monotone span programs (MSP)
as a linear model for computing monotone Boolean functions. We denote an
MSP by $\mathcal{M}(\mathcal{K}, M, \psi, v)$, where $M$ is a $d \times l$ matrix over $\mathcal{K}$,
$\psi : \{1, \ldots, d\} \to \{P_1, \ldots, P_n\}$ is a surjective labeling map, and $v \in \mathcal{K}^l$ is a nonzero vector. We
call $d$ the size of the MSP and $v$ the target vector. A monotone Boolean function
$f : \{0,1\}^n \to \{0,1\}$ satisfies $f(\delta') \ge f(\delta)$ for any $\delta' \ge \delta$, where $\delta = (\delta_1, \ldots, \delta_n)$,
$\delta' = (\delta'_1, \ldots, \delta'_n) \in \{0,1\}^n$, and $\delta' \ge \delta$ means $\delta'_i \ge \delta_i$ for $1 \le i \le n$. We
say that an MSP $\mathcal{M}(\mathcal{K}, M, \psi, v)$ computes the monotone Boolean function $f$ if
$v \in span\{M_A\}$ if and only if $f(\delta_A) = 1$, where $A$ is a set of players, $M_A$ denotes
the matrix constricted to the rows labeled by players in $A$, $span\{M_A\}$ denotes
the linear space spanned by the row vectors of $M_A$, and $\delta_A$ is the characteristic
vector of $A$.

Theorem 1 (Beimel [2]). Suppose $AS$ is an access structure over $P$ and $f_{AS}$
is the characteristic function of $AS$, that is, $f_{AS}(\delta) = 1$ if and only if $\delta = \delta_A$
for some $A \in AS$. Then there exists an LSSS of size $d$ that realizes $AS$ if and
only if there exists an MSP of size $d$ that computes $f_{AS}$.

Since an MSP computes the same Boolean function under linear transformations,
we can always assume that the target vector is $e_1 = (1, 0, \ldots, 0)$. From
an MSP $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ that computes $f_{AS}$, we can derive an LSSS realizing
$AS$ as follows: to share a secret $s \in \mathcal{K}$, the dealer randomly selects $\rho \in \mathcal{K}^{l-1}$,
computes $M(s, \rho)^T$ and sends $M_{P_i}(s, \rho)^T$ to $P_i$ as his share, where $1 \le i \le n$ and
$T$ denotes the transpose. The following property of MSP is useful in the proofs
of our results.

Proposition 1 (Karchmer and Wigderson [10]). Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be
an MSP that computes a monotone Boolean function $f$. Then for all $A \subseteq P$,
$e_1 \notin span\{M_A\}$ if and only if there exists $\rho \in \mathcal{K}^{l-1}$ such that $M_A(1, \rho)^T = 0^T$.

2.2 Multiplicative Linear Secret Sharing Schemes

From Theorem 1, an LSSS can be identified with its corresponding MSP in the
following way. Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS realizing the access structure $AS$.
Given two vectors $x = (x_1, \ldots, x_d)$, $y = (y_1, \ldots, y_d) \in \mathcal{K}^d$, we define $x \diamond y$ to
be the vector containing all entries of the form $x_i \cdot y_j$ with $\psi(i) = \psi(j)$. More
precisely, let

$x = (x_{11}, \ldots, x_{1d_1}, \ldots, x_{n1}, \ldots, x_{nd_n})$,

$y = (y_{11}, \ldots, y_{1d_1}, \ldots, y_{n1}, \ldots, y_{nd_n})$,

where $\sum_{i=1}^{n} d_i = d$, and $(x_{i1}, \ldots, x_{id_i})$, $(y_{i1}, \ldots, y_{id_i})$ are the entries distributed
to $P_i$ according to $\psi$. Then $x \diamond y$ is the vector composed of the $\sum_{i=1}^{n} d_i^2$ entries
$x_{ij} y_{ik}$, where $1 \le j, k \le d_i$, $1 \le i \le n$. For consistency, we write the entries of
$x \diamond y$ in some fixed order. We also define $(x \diamond y)^T = x^T \diamond y^T$.

Definition 1 (Multiplicativity). Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS realizing
the access structure $AS$ over $P$. Then $\mathcal{M}$ is called multiplicative if there exists a
recombination vector $z \in \mathcal{K}^{\sum_{i=1}^{n} d_i^2}$, such that for all $s, s' \in \mathcal{K}$ and $\rho, \rho' \in \mathcal{K}^{l-1}$,
we have

$ss' = z(M(s, \rho)^T \diamond M(s', \rho')^T)$.

Moreover, $\mathcal{M}$ is strongly multiplicative if for all $A \in \mathcal{A} = 2^P - AS$, $\mathcal{M}_{\bar{A}}$ is
multiplicative, where $\mathcal{M}_{\bar{A}}$ denotes the MSP $\mathcal{M}$ constricted to the subset
$\bar{A} = P - A$.

Proposition 2 (Cramer et al. [6]). Let $AS$ be an access structure over $P$.
Then there exists a multiplicative (respectively, strongly multiplicative) LSSS
realizing $AS$ if and only if $AS$ is $Q^2$ (respectively, $Q^3$).

2.3 General Constructions of Strongly Multiplicative LSSS 

For all $Q^2$ access structures $AS$, Cramer et al. [6] gave an efficient construction
to build a multiplicative LSSS from a general LSSS realizing the same $AS$. It
remains open if we can efficiently construct a strongly multiplicative LSSS from
an LSSS. However, there are general constructions with exponential complexity,
as described below.

Since Shamir's threshold secret sharing scheme is strongly multiplicative for
all $Q^3$ threshold access structures, a proper composition of Shamir's threshold
secret sharing schemes results in a general construction for strongly multiplicative
LSSS [6]. Here, we give another general construction based on multiplicative
LSSS.

Let $AS$ be any $Q^3$ access structure and $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS realizing
$AS$. For $A \in \mathcal{A} = 2^P - AS$, it is easy to see that $\mathcal{M}_{\bar{A}}$ realizes the restricted
access structure $AS_{\bar{A}} = \{B \subseteq \bar{A} \mid B \in AS\}$. The access structure $AS_{\bar{A}}$ is
$Q^2$ over $\bar{A}$ because $AS$ is $Q^3$ over $\bar{A} \cup A$. Thus, we can transform $\mathcal{M}_{\bar{A}}$ into a
multiplicative LSSS following the general construction of Cramer et al. [6] to
obtain a strongly multiplicative LSSS realizing $AS$. The example in Section 4.3
gives an illustration of this method.

We note that both constructions above give LSSS of exponential sizes, and
hence are not efficient in general.

3 3-Multiplicative and $\lambda$-Multiplicative LSSS

In this section, we give an equivalent definition for (strongly) multiplicative
LSSS. We then define 3-multiplicative LSSS and give a necessary and sufficient
condition for its existence. The notion of 3-multiplicativity is also extended to
$\lambda$-multiplicativity for all integers $\lambda > 1$. Finally, we present a generic (but inefficient)
construction of $\lambda$-multiplicative LSSS.

Under the same notations used in Section 2.2, it is straightforward to see
that we have an induced labeling map $\psi' : \{1, \ldots, \sum_{i=1}^{n} d_i^2\} \to \{P_1, \ldots, P_n\}$ on
the entries of $x \diamond y$, distributing the entry $x_{ij} y_{ik}$ to $P_i$, since both $x_{ij}$ and $y_{ik}$ are
labeled by $P_i$ under $\psi$. For an MSP $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$, denote $M = (M_1, \ldots, M_l)$,
where $M_i \in \mathcal{K}^d$ is the $i$-th column vector of $M$, $1 \le i \le l$. We construct a new
matrix $M_\diamond$ as follows:

$M_\diamond = (M_1 \diamond M_1, \ldots, M_1 \diamond M_l, M_2 \diamond M_1, \ldots, M_2 \diamond M_l, \ldots, M_l \diamond M_1, \ldots, M_l \diamond M_l)$.

For consistency, we also denote $M_\diamond$ as $M \diamond M$. Obviously, $M_\diamond$ is a matrix over
$\mathcal{K}$ with $\sum_{i=1}^{n} d_i^2$ rows and $l^2$ columns. For any two vectors $u, v \in \mathcal{K}^l$, it is easy
to verify that

$(M u^T) \diamond (M v^T) = M_\diamond (u \otimes v)^T$,

where $u \otimes v$ denotes the tensor product with its entries written in a proper order.
Define the induced labeling map $\psi'$ on the rows of $M_\diamond$. We have the following
proposition.

Proposition 3. Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS realizing the access structure
$AS$, and let $M_\diamond$ be with the labeling map $\psi'$. Then $\mathcal{M}$ is multiplicative if and
only if $e_1 \in span\{M_\diamond\}$, where $e_1 = (1, 0, \ldots, 0)$. Moreover, $\mathcal{M}$ is strongly
multiplicative if and only if $e_1 \in span\{(M_\diamond)_{\bar{A}}\}$ for all $A \in \mathcal{A} = 2^P - AS$.

Proof. By Definition 1, $\mathcal{M}$ is multiplicative if and only if
$ss' = z(M(s, \rho)^T \diamond M(s', \rho')^T)$ for all $s, s' \in \mathcal{K}$ and $\rho, \rho' \in \mathcal{K}^{l-1}$. Obviously,

$M(s, \rho)^T \diamond M(s', \rho')^T = M_\diamond((s, \rho) \otimes (s', \rho'))^T = M_\diamond(ss', \rho'')^T$, (1)

where $(ss', \rho'') = (s, \rho) \otimes (s', \rho')$. On the other hand, $ss' = e_1(ss', \rho'')^T$. Thus
$\mathcal{M}$ is multiplicative if and only if

$(e_1 - z M_\diamond)(ss', \rho'')^T = 0$. (2)

Because of the arbitrariness of $s$, $s'$, $\rho$ and $\rho'$, equality (2) holds if and only if
$e_1 - z M_\diamond = 0$. Thus $e_1 \in span\{M_\diamond\}$. The latter part of the proposition can be
proved similarly. □

Now we are ready to give the definition of 3-multiplicative LSSS. We extend
the diamond product "$\diamond$" and define $x \diamond y \diamond z$ to be the vector containing all
entries of the form $x_i y_j z_k$ with $\psi(i) = \psi(j) = \psi(k)$, where the entries of $x \diamond y \diamond z$
are written in some fixed order.

Definition 2 (3-Multiplicativity). Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS realizing
the access structure $AS$. Then $\mathcal{M}$ is called 3-multiplicative if there exists
a recombination vector $z \in \mathcal{K}^{\sum_{i=1}^{n} d_i^3}$ such that for all $s_1, s_2, s_3 \in \mathcal{K}$ and
$\rho_1, \rho_2, \rho_3 \in \mathcal{K}^{l-1}$, we have

$s_1 s_2 s_3 = z(M(s_1, \rho_1)^T \diamond M(s_2, \rho_2)^T \diamond M(s_3, \rho_3)^T)$.

We can derive an equivalent definition for 3-multiplicative LSSS, similar to
Proposition 3: $\mathcal{M}$ is 3-multiplicative if and only if $e_1 \in span\{(M \diamond M \diamond M)\}$. The
following proposition gives a necessary and sufficient condition for the existence
of 3-multiplicative LSSS.

Proposition 4. For all access structures $AS$, there exists a 3-multiplicative
LSSS realizing $AS$ if and only if $AS$ is $Q^3$.

Proof. Suppose $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ is a 3-multiplicative LSSS realizing $AS$, and
suppose to the contrary, that $AS$ is not $Q^3$, so there exist $A_1, A_2, A_3 \in \mathcal{A} =
2^P - AS$ such that $A_1 \cup A_2 \cup A_3 = P$. By Proposition 1, there exists $\rho_i \in \mathcal{K}^{l-1}$
such that $M_{A_i}(1, \rho_i)^T = 0^T$ for $1 \le i \le 3$. Since $A_1 \cup A_2 \cup A_3 = P$, we have
$M(1, \rho_1)^T \diamond M(1, \rho_2)^T \diamond M(1, \rho_3)^T = 0^T$, which contradicts Definition 2.

On the other hand, a general construction for building a 3-multiplicative
LSSS from a strongly multiplicative LSSS is given in the next section, thus
sufficiency is guaranteed by Proposition 2. □

A trivial example of 3-multiplicative LSSS is Shamir's threshold secret sharing
scheme that realizes any $Q^3$ threshold access structure. Using an identical
argument for the case of strongly multiplicative LSSS, we have a general
construction for 3-multiplicative LSSS based on Shamir's threshold secret sharing
schemes, with exponential complexity.

For any $\lambda$ vectors $x_i = (x_{i1}, \ldots, x_{id}) \in \mathcal{K}^d$, $1 \le i \le \lambda$, we define $\diamond_{i=1}^{\lambda} x_i$ to
be the $\sum_{i=1}^{n} d_i^{\lambda}$-dimensional vector which contains entries of the form $\prod_{i=1}^{\lambda} x_{i j_i}$
with $\psi(j_1) = \cdots = \psi(j_\lambda)$.

Definition 3 ($\lambda$-Multiplicativity). Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS realizing
the access structure $AS$, and let $\lambda > 1$ be an integer. Then $\mathcal{M}$ is $\lambda$-multiplicative
if there exists a recombination vector $z$ such that for all $s_1, \ldots, s_\lambda \in \mathcal{K}$ and
$\rho_1, \ldots, \rho_\lambda \in \mathcal{K}^{l-1}$, we have

$\prod_{i=1}^{\lambda} s_i = z(\diamond_{i=1}^{\lambda} M(s_i, \rho_i)^T)$.

Moreover, $\mathcal{M}$ is strongly $\lambda$-multiplicative if for all $A \notin AS$, the constricted LSSS
$\mathcal{M}_{\bar{A}}$ is $\lambda$-multiplicative.

Again, we can define a new matrix by taking the diamond product of $\lambda$
copies of $M$. This gives an equivalence to (strongly) $\lambda$-multiplicative LSSS. Also,
since Shamir's threshold secret sharing scheme is trivially $\lambda$-multiplicative and
strongly $\lambda$-multiplicative, a proper composition of Shamir's threshold secret sharing
schemes results in a general construction for both $\lambda$-multiplicative LSSS and
strongly $\lambda$-multiplicative LSSS. Let $Q^{\lambda}$ be a straightforward extension of $Q^2$ and
$Q^3$, that is, an access structure $AS$ is $Q^{\lambda}$ if the player set $P$ cannot be covered
by $\lambda$ sets in $\mathcal{A} = 2^P - AS$. The following corollary is easy to prove.

Corollary 1. Let $AS$ be an access structure over $P$. Then there exists a
$\lambda$-multiplicative (respectively, strongly $\lambda$-multiplicative) LSSS realizing $AS$ if and
only if $AS$ is $Q^{\lambda}$ (respectively, $Q^{\lambda+1}$).

Since a $\lambda$-multiplicative LSSS transforms the products of $\lambda$ entries into a
linear combination of the local products of shares, it can be used to simplify the
secure computation of sequential multiplications. In particular, when compared
to using only the multiplicative property (which corresponds to the case when
$\lambda = 2$), a $\lambda$-multiplicative LSSS can lead to reduced round complexity by a factor
of in certain cases. 

We also point out that $Q^{\lambda}$ is not a necessary condition for secure computation.
Instead, the necessary condition is $Q^2$ for the passive adversary model,
or $Q^3$ for the active adversary model [6]. The condition $Q^{\lambda}$ is just a necessary
condition for the existence of $\lambda$-multiplicative LSSS which can be used to
simplify computation. In practice, many threshold adversary structures satisfy
the $Q^{\lambda}$ condition for some appropriate integer $\lambda$, and the widely used Shamir's
threshold secret sharing scheme is already $\lambda$-multiplicative. By using this
$\lambda$-multiplicativity, we can get more efficient MPC protocols. However, since the
special case $\lambda = 3$ shows a close relationship with strongly multiplicative LSSS,
a fundamental tool in MPC, this paper focuses on 3-multiplicative LSSS.

4 Strong Multiplicativity and 3-Multiplicativity 

In this section, we show that strong multiplicativity and 3-multiplicativity are 
closely related. On the one hand, given a strongly multiplicative LSSS, there is an 
efficient transformation that converts it to a 3-multiplicative LSSS. On the other
hand, we show that any 3-multiplicative LSSS is a strongly multiplicative LSSS,
but the converse is not true. It should be noted that strong multiplicativity, 
as defined, has a combinatorial nature. The definition of 3-multiplicativity is 
essentially algebraic, which is typically easier to verify. 

4.1 From Strong Multiplicativity to 3-Multiplicativity 

We show a general method to efficiently build a 3-multiplicative LSSS from a
strongly multiplicative LSSS, for all $Q^3$ access structures. As an extension, the
proposed method can also be used to efficiently build a $(\lambda + 1)$-multiplicative
LSSS from a strongly $\lambda$-multiplicative LSSS.

Theorem 2. Let $AS$ be a $Q^3$ access structure and $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be a strongly
multiplicative LSSS realizing $AS$. Suppose that $\mathcal{M}$ has size $d$ and $|\psi^{-1}(P_i)| = d_i$,
for $1 \le i \le n$. Then there exists a 3-multiplicative LSSS for $AS$ of size $O(d^2)$.

Proof. We give a constructive proof. Let $M_\diamond$ be the matrix defined in Section 3,
and $\psi'$ be the induced labeling map on the rows of $M_\diamond$. Then we have an LSSS
$\mathcal{M}_\diamond(\mathcal{K}, M_\diamond, \psi', e_1)$ that realizes an access structure $AS_\diamond$. Because $\mathcal{M}$ is strongly
multiplicative, by Proposition 3 we have $e_1 \in span\{(M_\diamond)_{\bar{A}}\}$ for all $A \notin AS$.
Therefore $\bar{A} \in AS_\diamond$ and it follows that $AS^* \subseteq AS_\diamond$, where $AS^*$ denotes the dual
access structure of $AS$, defined by $AS^* = \{A \subseteq P \mid P - A \notin AS\}$.

The equality (1) in the proof of Proposition 3 shows that the diamond product
of two share vectors equals sharing the product of the two secrets by the MSP
$\mathcal{M}_\diamond(\mathcal{K}, M_\diamond, \psi', e_1)$, that is,

$(M(s_1, \rho'_1)^T) \diamond (M(s_2, \rho'_2)^T) = M_\diamond(s_1 s_2, \rho)^T$, for some $\rho'_1, \rho'_2 \in \mathcal{K}^{l-1}$ and $\rho \in \mathcal{K}^{l^2-1}$.

Thus, using a method similar to Nikov et al. [14], we can get the product $(s_1 s_2) \cdot s_3$
by sharing $s_3$ through the dual MSP of $\mathcal{M}_\diamond$, denoted by $(\mathcal{M}_\diamond)^*$. Furthermore,
since $(\mathcal{M}_\diamond)^*$ realizes the dual access structure $(AS_\diamond)^*$ and $(AS_\diamond)^* \subseteq (AS^*)^* =
AS$, we can build a 3-multiplicative LSSS by the union of $\mathcal{M}$ and $(\mathcal{M}_\diamond)^*$, which
realizes the access structure $AS \cup (AS_\diamond)^* = AS$. Now following the same method
of Cramer et al. and Fehr [6, 8], we prove the required result via the construction
below.

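Compute the column vector $v_0$ as a solution to the equation $(M_\diamond)^T v = e_1^T$
for $v$, and compute $v_1, \ldots, v_k$ as a basis of the solution space to $(M_\diamond)^T v = 0^T$.
Note that $(M_\diamond)^T v = e_1^T$ is solvable because $e_1 \in span\{(M_\diamond)_{\bar{A}}\}$ for all $A \notin AS$,
while $(M_\diamond)^T v = 0^T$ may only have the trivial solution $v = 0$ and $k = 0$. Let

$$M' = \begin{pmatrix} m_{11} & \cdots & m_{1l} & & & \\ \vdots & \ddots & \vdots & & & \\ m_{d1} & \cdots & m_{dl} & & & \\ v_0 & & & v_1 & \cdots & v_k \end{pmatrix},$$

where $\begin{pmatrix} m_{11} & \cdots & m_{1l} \\ \vdots & \ddots & \vdots \\ m_{d1} & \cdots & m_{dl} \end{pmatrix} = M$ and the blanks in $M'$ denote zeros. Define a labeling
map $\psi''$ on the rows of $M'$ which labels the first $d$ rows of $M'$ according to $\psi$
and the other $\sum_{i=1}^{n} d_i^2$ rows according to $\psi'$.

As mentioned above, $\mathcal{M}'(\mathcal{K}, M', \psi'', e_1)$ obviously realizes the access structure
$AS$. We now verify its 3-multiplicativity.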

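Let $N = (v_0, v_1, \ldots, v_k)$, a matrix over $\mathcal{K}$ with $\sum_{i=1}^{n} d_i^2$ rows and $k + 1$
columns. For $s_i \in \mathcal{K}$ and $\rho_i = (\rho'_i, \rho''_i) \in \mathcal{K}^{l-1} \times \mathcal{K}^{k}$, $1 \le i \le 3$, denote
$M'(s_i, \rho_i)^T = (u_i, w_i)^T$, where $u_i^T = M(s_i, \rho'_i)^T$ and $w_i^T = N(s_i, \rho''_i)^T$. We
have

$u_1^T \diamond u_2^T = (M(s_1, \rho'_1)^T) \diamond (M(s_2, \rho'_2)^T) = M_\diamond(s_1 s_2, \rho)^T$,

where $(s_1 s_2, \rho) = (s_1, \rho'_1) \otimes (s_2, \rho'_2)$. Then,

$$(u_1 \diamond u_2) \cdot w_3^T = (s_1 s_2, \rho)\,(M_\diamond)^T N\,(s_3, \rho''_3)^T = (s_1 s_2, \rho) \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix} (s_3, \rho''_3)^T = s_1 s_2 s_3.$$

It is easy to see that $(u_1 \diamond u_2) \cdot w_3^T$ is a linear combination of the entries from
$(u_1 \diamond u_2) \diamond w_3$, and so is a linear combination of the entries from
$M'(s_1, \rho_1)^T \diamond M'(s_2, \rho_2)^T \diamond M'(s_3, \rho_3)^T$.

Hence $\mathcal{M}'$ is a 3-multiplicative LSSS for $AS$. Obviously, the size of $\mathcal{M}'$ is
$O(d^2)$, since $d + \sum_{i=1}^{n} d_i^2 < d^2 + d$. □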

If we replace the matrix $M_\diamond$ above by the diamond product of $\lambda$ copies of
$M$, using an identical argument, the construction from Theorem 2 gives rise to
a $(\lambda + 1)$-multiplicative LSSS from a strongly $\lambda$-multiplicative LSSS.

Corollary 2. Let $AS$ be a $Q^{\lambda+1}$ access structure and $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be a
strongly $\lambda$-multiplicative LSSS realizing $AS$. Suppose the size of $\mathcal{M}$ is $d$ and
$|\psi^{-1}(P_i)| = d_i$, for $1 \le i \le n$. Then there exists a $(\lambda + 1)$-multiplicative LSSS
for $AS$ of size $O(d^{\lambda})$.

4.2 From 3-Multiplicativity to Strong Multiplicativity

Theorem 3. Any 3-multiplicative LSSS is strongly multiplicative.

Proof. Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be a 3-multiplicative LSSS realizing the access
structure $AS$ over $P$. For all $A \in \mathcal{A} = 2^P - AS$, by Proposition 1, we can choose a
fixed vector $\rho'' \in \mathcal{K}^{l-1}$ such that $M_A(1, \rho'')^T = 0^T$. There exists a recombination
vector $z \in \mathcal{K}^{\sum_{i=1}^{n} d_i^3}$ such that for all $s, s' \in \mathcal{K}$ and $\rho, \rho' \in \mathcal{K}^{l-1}$, we have

$ss' = z(M(s, \rho)^T \diamond M(s', \rho')^T \diamond M(1, \rho'')^T)$.

Since $M_A(1, \rho'')^T = 0^T$, and $M_{\bar{A}}(1, \rho'')^T$ is a constant vector for fixed $\rho''$, the
vector $z' \in \mathcal{K}^{\sum_{P_i \notin A} d_i^2}$ that satisfies

$z(M(s, \rho)^T \diamond M(s', \rho')^T \diamond M(1, \rho'')^T) = z'(M_{\bar{A}}(s, \rho)^T \diamond M_{\bar{A}}(s', \rho')^T)$

can be easily determined. Thus $ss' = z'(M_{\bar{A}}(s, \rho)^T \diamond M_{\bar{A}}(s', \rho')^T)$. Hence, $\mathcal{M}$ is
strongly multiplicative. □

Although 3-multiplicative LSSS is a subclass of strongly multiplicative LSSS,
one of the advantages of 3-multiplicativity is that its verification admits a simpler
process. For 3-multiplicativity, we need only to check that
$e_1 \in span\{(M \diamond M \diamond M)\}$, while strong multiplicativity requires the verification of
$e_1 \in span\{(M \diamond M)_{\bar{A}}\}$ for all $A \notin AS$.

Using a similar argument, the following results for $(\lambda + 1)$-multiplicativity
can be proved:

(i) A $(\lambda + 1)$-multiplicative LSSS is a strongly $\lambda$-multiplicative LSSS.

(ii) A $\lambda$-multiplicative LSSS is a $\lambda'$-multiplicative LSSS, where $1 < \lambda' < \lambda$.
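
The two verification procedures compared in this subsection, run on Shamir's scheme as an added example (not code from the paper): one span test on the triple diamond product versus one span test per maximal adversary set, followed by recombining $s_1 s_2 s_3$ from local share products. Assumptions: the field GF(101), evaluation points $a_i = i$, $t$ taken as the degree of the sharing polynomial, and all function names are illustrative.

```python
from itertools import combinations

P = 101  # constructed example field K = GF(101)


def shamir_msp(n, t):
    """MSP matrix of Shamir's scheme: row i is (1, a_i, ..., a_i^t) with a_i = i."""
    return [[pow(a, j, P) for j in range(t + 1)] for a in range(1, n + 1)]


def diamond_power(M, lam):
    """Diamond product of lam copies of M. Each player owns one row here
    (d_i = 1), so row i of the result is the lam-fold tensor power of row i."""
    out = []
    for row in M:
        acc = [1]
        for _ in range(lam):
            acc = [x * y % P for x in acc for y in row]
        out.append(acc)
    return out


def recombination_vector(rows):
    """Return z with z * rows = e_1 over GF(P), or None if e_1 is not in the
    row span. Solves the transposed system by Gauss-Jordan elimination."""
    m, width = len(rows), len(rows[0])
    # One equation per column c of `rows`: sum_i z_i * rows[i][c] = [c == 0].
    aug = [[rows[i][c] for i in range(m)] + [int(c == 0)] for c in range(width)]
    pivots, r = [], 0
    for c in range(m):
        p = next((k for k in range(r, width) if aug[k][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], P - 2, P)  # inverse by Fermat's little theorem
        aug[r] = [x * inv % P for x in aug[r]]
        for k in range(width):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(x - f * y) % P for x, y in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
    if any(eq[-1] for eq in aug[r:]):
        return None  # some equation reduced to 0 = nonzero
    z = [0] * m
    for i, c in enumerate(pivots):
        z[c] = aug[i][-1]
    return z


def is_lambda_multiplicative(M, lam):
    """Single span test: e_1 in span{M <> ... <> M} (lam copies)."""
    return recombination_vector(diamond_power(M, lam)) is not None


def is_strongly_multiplicative(M, t):
    """One span test per maximal adversary set A (|A| = t): e_1 must lie in the
    span of (M <> M) restricted to the players outside A. Smaller A only add
    rows, so maximal sets suffice. Returns (ok, tests_run)."""
    n, tests = len(M), 0
    for A in combinations(range(n), t):
        tests += 1
        rest = [M[i] for i in range(n) if i not in A]
        if recombination_vector(diamond_power(rest, 2)) is None:
            return False, tests
    return True, tests


def share(M, s, rho):
    """Dealer's step: compute M (s, rho)^T; entry i is P_i's share."""
    v = [s] + list(rho)
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]


def triple_product(M, secrets, rhos):
    """Recombine s1*s2*s3 from each player's local product of three shares."""
    z = recombination_vector(diamond_power(M, 3))
    sh = [share(M, s, rho) for s, rho in zip(secrets, rhos)]
    local = [sh[0][i] * sh[1][i] * sh[2][i] % P for i in range(len(M))]
    return sum(zi * li for zi, li in zip(z, local)) % P


if __name__ == "__main__":
    M = shamir_msp(7, 2)                      # n = 3t + 1
    print(is_lambda_multiplicative(M, 3))     # one span test
    print(is_strongly_multiplicative(M, 2))   # one test per adversary set
    print(triple_product(M, (5, 7, 11), ([13, 2], [29, 8], [42, 1])))
```

For $n = 7$, $t = 2$ the 3-multiplicativity check is a single linear solve, while the strong multiplicativity check runs one solve for each of the 21 maximal adversary sets.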



4.3 An Example of a Strongly Multiplicative LSSS that is Not 
3-Multiplicative 

We give an example of a strongly multiplicative LSSS that is not 3-multiplicative.
It follows that 3-multiplicative LSSS are strictly contained in the class of strongly
multiplicative LSSS. The construction process is as follows. Start with an LSSS
that realizes a $Q^3$ access structure but is not strongly multiplicative. We then
apply the general construction given in Section 2.3 to convert it into a strongly
multiplicative LSSS. The resulting LSSS is however not 3-multiplicative.

Let $P = \{P_1, P_2, P_3, P_4, P_5, P_6\}$ be the set of players. Consider the access
structure $AS$ over $P$ defined by

$AS_{min} = \{(1, 2), (3, 4), (5, 6), (1, 5), (1, 6), (2, 6), (2, 5), (3, 6), (4, 5)\}$,

where we use subscript to denote the corresponding player. For example, $(1, 2)$
denotes the subset $\{P_1, P_2\}$. It is easy to verify that the corresponding adversary
structure is

$\mathcal{A}_{max} = \{(1, 3), (1, 4), (2, 3), (2, 4), (3, 5), (4, 6)\}$,

and that $AS$ is a $Q^3$ access structure.

Let $\mathcal{K} = \mathbb{F}_2$. Define the matrix $M$ over $\mathbb{F}_2$ with the labeling map $\psi$ such that



1 1 0\ /O 1 

Mp,= I 1 , Mp, = 1 I , Mp, = 
00001/ VOOOOl 



11000 
00 1 



,01000\ „ _/11100\ /OllOO 
~ I 1 j ' ^^^^ - 1^1 1 j ' - 1^1 1 

It can be verified that the LSSS $\mathcal{M}(\mathbb{F}_2, M, \psi, e_1)$ realizes the access structure
$AS$. Moreover, for all $A \in \mathcal{A} - \{(1, 3), (1, 4)\}$, the constricted LSSS $\mathcal{M}_{\bar{A}}$ is
multiplicative. Thus in order to get a strongly multiplicative LSSS, we just need
to expand $\mathcal{M}$ with multiplicativity when constricted to both $\{P_2, P_4, P_5, P_6\}$ and
$\{P_2, P_3, P_5, P_6\}$.

Firstly, consider the LSSS $\mathcal{M}$ constricted to $P' = \{P_2, P_4, P_5, P_6\}$. Obviously,
$\mathcal{M}_{P'}$ realizes the access structure $AS_{P'} = \{(5, 6), (2, 6), (2, 5), (4, 5)\}$, which is
$Q^2$ over $P'$. By the method of Cramer et al. [6], we can transform $\mathcal{M}_{P'}$ into the
multiplicative LSSS $\mathcal{M}'_{P'}(\mathbb{F}_2, M', \psi', e_1)$ defined as follows:



[Block matrices $M'_{P_2}$, $M'_{P_4}$, $M'_{P_5}$, $M'_{P_6}$ over $\mathbb{F}_2$; entries lost in extraction.]


where the blanks in the matrices denote zeros.
For consistency, we define

$M'_{P_1} = (M_{P_1} \;\; 0_{3 \times 4})$,
$M'_{P_3} = (M_{P_3} \;\; 0_{2 \times 4})$,

where $0_{m \times n}$ denotes the $m \times n$ matrix of all zeros. It can be verified that for the
subset $P'' = \{P_2, P_3, P_5, P_6\}$, the constricted LSSS $\mathcal{M}'_{P''}$ is indeed multiplicative.
Therefore, $\mathcal{M}'(\mathbb{F}_2, M', \psi', e_1)$ is a strongly multiplicative LSSS realizing the
access structure $AS$. Furthermore, it can be verified that $\mathcal{M}'$ is not 3-multiplicative
(the verification involves checking a $443 \times 729$ matrix using Matlab).

The scheme $\mathcal{M}(\mathbb{F}_2, M, \psi, e_1)$ given above is the first example of an LSSS
which realizes a $Q^3$ access structure but is not strongly multiplicative.



5 Constructions for 3-multiplicative LSSS 

It is tempting to find efficient constructions for 3-multiplicative LSSS. In general,
it is a hard problem to construct LSSS with polynomial size for any specified
access structure, and it seems to be an even harder problem to construct
polynomial size 3-multiplicative LSSS with general access structures. We mention
two constructions for 3-multiplicative LSSS. These constructions are generally
inefficient, which can result in schemes with exponential sizes. The two
constructions are:

1. The Cramer-Damgard-Maurer construction based on Shamir's threshold
secret sharing scheme [6].

2. The construction given in Subsection 4.1 based on strongly multiplicative
LSSS.

There exist, however, some efficient LSSS with specific access structures that
are multiplicative or 3-multiplicative. For instance, Shamir's $t$ out of $n$ threshold
secret sharing schemes are multiplicative if $n > 2t + 1$, and 3-multiplicative if
$n > 3t + 1$.

On the other hand, secret sharing schemes from error-correcting codes give
good multiplicative properties. It is well known that a secret sharing scheme
from a linear error-correcting code is an LSSS. We know that such an LSSS is
multiplicative provided the underlying code is a self dual code [7]. The LSSS from
a Reed-Solomon code is $\lambda$-multiplicative if the corresponding access structure is

. In this section, we show the multiplicativity of two other classes of secret 
sharing schemes from error-correcting codes: 

(i) schemes from Reed-Muller codes are $\lambda$-multiplicative LSSS; and

(ii) schemes from algebraic geometric codes are $\lambda$-multiplicative ramp LSSS.

5.1 A Construction from Reed-Muller Codes 

Let $v_0, v_1, \dots, v_{2^m-1}$ be all the points in the space $\mathbb{F}_2^m$. The binary
Reed-Muller code $\mathcal{R}(r, m)$ is defined as follows:

$$\mathcal{R}(r, m) = \{(f(v_0), \dots, f(v_{2^m-1})) \mid f \in \mathbb{F}_2[x_1, \dots, x_m],\ \deg f \le r\}.$$

Take $f(v_0)$ as the secret, and $f(v_i)$ as the share distributed to player $P_i$,
$1 \le i \le 2^m - 1$. Then $\mathcal{R}(r, m)$ gives rise to an LSSS for the set of players
$\{P_1, \dots, P_n\}$, with the secret-domain being $\mathbb{F}_2$, where $n = 2^m - 1$. For any three
codewords

$$c_i = (s_i, s_{i1}, \dots, s_{in}) = (f_i(v_0), f_i(v_1), \dots, f_i(v_n)) \in \mathcal{R}(r, m), \quad 1 \le i \le 3,$$

it is easy to see that

$$c_1 \diamond c_2 \diamond c_3 = (s_1 s_2 s_3,\ s_{11} s_{21} s_{31},\ \dots,\ s_{1n} s_{2n} s_{3n}) = (g(v_0), g(v_1), \dots, g(v_n)) \in \mathcal{R}(3r, m),$$

where $g = f_1 f_2 f_3 \in \mathbb{F}_2[x_1, \dots, x_m]$ and $\deg g \le 3r$. From basic results on
Reed-Muller codes [15], we know that $\mathcal{R}(3r, m)$ has dual code $\mathcal{R}(m - 3r - 1, m)$ when
$m > 3r$, and the dual code $\mathcal{R}(m - 3r - 1, m)$ trivially contains the codeword
$(1, 1, \dots, 1)$. It follows that $s_1 s_2 s_3 = \sum_{j=1}^{n} s_{1j} s_{2j} s_{3j}$, which shows that the LSSS
from $\mathcal{R}(r, m)$ is 3-multiplicative when $m > 3r$. Certainly, this LSSS is strongly
multiplicative. In general, we have the following result:

Theorem 4. The LSSS constructed above from $\mathcal{R}(r, m)$ is $\lambda$-multiplicative,
provided $m > \lambda r$.
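The recombination identity above can be checked numerically. The following Python sketch is an added example, not code from the paper: it shares three bits with random polynomials of degree at most $r$, lets every player multiply its three shares locally, and sums the results over $\mathbb{F}_2$. It assumes $v_0$ is the all-zero point, and all function names are hypothetical.

```python
import itertools
import random

def points(m):
    """All 2^m points of F_2^m; v_0 is taken to be the all-zero point (assumption)."""
    return list(itertools.product((0, 1), repeat=m))

def monomials(m, r):
    """Monomials of degree <= r as tuples of variable indices; () is the constant 1."""
    return [c for d in range(r + 1) for c in itertools.combinations(range(m), d)]

def evaluate(coeffs, monos, v):
    """Evaluate the F_2 polynomial sum(coeffs[k] * monos[k]) at the point v."""
    return sum(c for c, mono in zip(coeffs, monos) if all(v[i] for i in mono)) % 2

def share_poly(coeffs, m, r):
    """Shares f(v_1), ..., f(v_n) for players P_1..P_n, where n = 2^m - 1."""
    monos = monomials(m, r)
    return [evaluate(coeffs, monos, v) for v in points(m)[1:]]

def share(secret, m, r, rng):
    """Random f with deg f <= r and f(v_0) = secret (the constant term, as v_0 = 0)."""
    coeffs = [secret] + [rng.randrange(2) for _ in monomials(m, r)[1:]]
    return share_poly(coeffs, m, r)

def multiply3(sh1, sh2, sh3):
    """Local 3-fold share products summed over F_2. This equals s1*s2*s3 when
    m > 3r, because (1, ..., 1) lies in the dual code of R(3r, m)."""
    return sum(a & b & c for a, b, c in zip(sh1, sh2, sh3)) % 2

def check_all(m, r, trials=50, seed=1):
    """True if the local products recombine to s1*s2*s3 in every random trial."""
    rng = random.Random(seed)
    for _ in range(trials):
        s = [rng.randrange(2) for _ in range(3)]
        sh = [share(x, m, r, rng) for x in s]
        if multiply3(*sh) != s[0] & s[1] & s[2]:
            return False
    return True

# Constructed boundary case m = 3r (m = 3, r = 1): f1 = x1, f2 = x2, f3 = x3
# all share the secret 0, yet the recombined value is 1, so m > 3r is needed.
BOUNDARY = multiply3(*(share_poly(c, 3, 1)
                       for c in ([0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1])))
```

With $m = 4$, $r = 1$ there are 15 players and the check always succeeds; the boundary case shows the same recombination failing once $m = 3r$.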

5.2 A Construction from Algebraic Geometric Codes 

Chen and Cramer [3] constructed secret sharing schemes from algebraic
geometric (AG) codes. These schemes are quasi-threshold (or ramp) schemes, which
means that any $t$ out of $n$ players can recover the secret, and any fewer than
$t'$ players have no information about the secret, where $t' < t < n$. In this
section, we show that ramp schemes from some algebraic geometric codes [3] are
$\lambda$-multiplicative.

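Let $\chi$ be an absolutely irreducible, projective, and nonsingular curve defined
over $\mathbb{F}_q$ with genus $g$, and let $D = \{v_0, v_1, \dots, v_n\}$ be the set of $\mathbb{F}_q$-rational points
on $\chi$. Let $G$ be an $\mathbb{F}_q$-rational divisor with degree $m$ satisfying $\mathrm{supp}(G) \cap D = \emptyset$
and $2g - 2 < m < n + 1$. Let $\overline{\mathbb{F}}_q$ denote the algebraic closure of $\mathbb{F}_q$, let $\mathbb{F}_q(\chi)$
denote the function field of the curve $\chi$, and let $\Omega(\chi)$ denote all the differentials
on $\chi$. Define the linear spaces:

$$\mathcal{L}(G) = \{f \in \mathbb{F}_q(\chi) \mid (f) + G \ge 0\},$$

$$\Omega(G) = \{\omega \in \Omega(\chi) \mid (\omega) \ge G\}.$$

Then the functional AG code $C_{\mathcal{L}}(D, G)$ and residual AG code $C_{\Omega}(D, G)$ are
respectively defined as follows:

$$C_{\mathcal{L}}(D, G) = \{(f(v_0), f(v_1), \dots, f(v_n)) \mid f \in \mathcal{L}(G)\} \subseteq \mathbb{F}_q^{n+1},$$

$$C_{\Omega}(D, G) = \{(\mathrm{Res}_{v_0}(\eta), \mathrm{Res}_{v_1}(\eta), \dots, \mathrm{Res}_{v_n}(\eta)) \mid \eta \in \Omega(G - D)\} \subseteq \mathbb{F}_q^{n+1},$$

where $\mathrm{Res}_{v_i}(\eta)$ denotes the residue of $\eta$ at $v_i$.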

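As above, $C_{\Omega}(D, G)$ induces an LSSS for the set of players $\{P_1, \dots, P_n\}$,
where for every codeword $(f(v_0), f(v_1), \dots, f(v_n)) \in C_{\Omega}(D, G) = C_{\mathcal{L}}(D, D - G + (\eta))$,
$f(v_0)$ is the secret and $f(v_i)$ is $P_i$'s share, $1 \le i \le n$. For any $\lambda$
codewords

$$c_i = (s_i, s_{i1}, \dots, s_{in}) = (f_i(v_0), \dots, f_i(v_n)) \in C_{\mathcal{L}}(D, D - G + (\eta)), \quad 1 \le i \le \lambda,$$

it is easy to see that

$$\Big(\prod_{i=1}^{\lambda} s_i,\ \prod_{i=1}^{\lambda} s_{i1},\ \dots,\ \prod_{i=1}^{\lambda} s_{in}\Big) \in C_{\mathcal{L}}(D, \lambda(D - G + (\eta))).$$

If $2g - 2 < \deg(\lambda(D - G + (\eta))) < n$, then $C_{\mathcal{L}}(D, \lambda(D - G + (\eta)))$ has
the dual code $C_{\Omega}(D, \lambda(D - G + (\eta))) = C_{\mathcal{L}}(D, \lambda G - (\lambda - 1)(D + (\eta)))$. When
$\deg(\lambda G - (\lambda - 1)(D + (\eta))) > 2g$, $C_{\Omega}(D, \lambda(D - G + (\eta)))$ has a codeword
with a nonzero first coordinate, implying

$$\prod_{i=1}^{\lambda} s_i = \sum_{j=1}^{n} a_j \prod_{i=1}^{\lambda} s_{ij}$$

for some constants $a_j \in \mathbb{F}_q$. Thus, the LSSS induced by the AG code $C_{\Omega}(D, G)$ is
$\lambda$-multiplicative. It is easy to see that if $\deg G = m > \frac{(\lambda - 1)(n + 1)}{\lambda} + 2g$ then we
have $2g - 2 < \deg(\lambda(D - G + (\eta))) < n$ and $\deg(\lambda G - (\lambda - 1)(D + (\eta))) > 2g$.
Therefore, we have the following theorem.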

Theorem 5. Let $\chi$ be an absolutely irreducible, projective, and nonsingular
curve defined over $\mathbb{F}_q$ with genus $g$, let $D = \{v_0, v_1, \dots, v_n\}$ be the set of
$\mathbb{F}_q$-rational points on $\chi$. Let $G$ be an $\mathbb{F}_q$-rational divisor with degree $m$ satisfying
$\mathrm{supp}(G) \cap D = \emptyset$ and $2g - 2 < m < n + 1$. Then the LSSS induced by the AG
code $C_{\Omega}(D, G)$ is $\lambda$-multiplicative, provided $m > \frac{(\lambda - 1)(n + 1)}{\lambda} + 2g$.

6 Implications of the Multiplicativity of LSSS

The property of 3-multiplicativity implies strong multiplicativity, and so is
sufficient for building MPC protocols against active adversaries. The conditions for
3-multiplicativity are easy to verify, while verification for strong
multiplicativity involves checking an exponential number of equations (each subset in the
adversary structure corresponds to an equation).

With 3-multiplicative LSSS, or more generally $\lambda$-multiplicative LSSS, we can
simplify local computation for each player and reduce the round complexity in
MPC protocols. For example, using the technique of Bar-Ilan and Beaver [1],
we can compute $\prod_{i=1}^{l} x_i$, $x_i \in \mathbb{F}_q$, in a constant number of rounds, independent
of $l$. For simplicity, we consider passive adversaries in the information-theoretic
model. Suppose for $1 \le i \le l$, the shares of $x_i$, denoted by $[x_i]$, have already
been distributed among the players. To compute $\prod_{i=1}^{l} x_i$, we follow the
process of Cramer et al. [4]:

(1) Generate $[b_0 \in_R \mathbb{F}_q^*], [b_1 \in_R \mathbb{F}_q^*], \dots, [b_l \in_R \mathbb{F}_q^*]$ and $[b_0^{-1}], [b_1^{-1}], \dots, [b_l^{-1}]$,
where $b_i \in_R \mathbb{F}_q^*$ means that $b_i$ is a random element in $\mathbb{F}_q^*$.

(2) For $1 \le i \le l$, each player computes $[b_{i-1} x_i b_i^{-1}]$ from $[b_{i-1}]$, $[b_i^{-1}]$ and $[x_i]$.

(3) Recover $d_i = b_{i-1} x_i b_i^{-1}$ from $[b_{i-1} x_i b_i^{-1}]$ for $1 \le i \le l$, and compute
$d = \prod_{i=1}^{l} d_i$.

(4) Compute $[d b_0^{-1} b_l]$ from $[b_0^{-1}]$, $[b_l]$ and $d$.

It is easy to see that $d b_0^{-1} b_l = \prod_{i=1}^{l} x_i$. Using a strongly multiplicative LSSS,
the above process takes five rounds of interactions as two rounds are required in
Step (2). However, if we use a 3-multiplicative LSSS instead, then only one round
is needed for Step (2). Thus, 3-multiplicative LSSS reduce the round complexity
of computing unbounded fan-in multiplication from five to four. This in turn
simplifies the computation of many problems, such as polynomial evaluation
and solving linear systems of equations.
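The telescoping in Steps (1) to (4) can be traced with Shamir shares over a prime field, as an added example that is not part of the paper. It assumes one process acting as dealer and as all players, a constructed modulus $p = 2^{31} - 1$, and hypothetical function names; it opens the locally multiplied shares directly and leaves out the re-randomisation a real protocol performs before opening.

```python
import random

P = 2**31 - 1  # constructed prime modulus, not taken from the paper

def shamir_share(secret, t, n, rng):
    """Degree-t Shamir sharing of `secret`; player j (1..n) holds f(j)."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(t)]
    return [sum(c * pow(j, k, P) for k, c in enumerate(coeffs)) % P
            for j in range(1, n + 1)]

def recombine(shares):
    """Lagrange interpolation at 0 over all n shares; exact for any degree < n."""
    n, total = len(shares), 0
    for j, s in enumerate(shares, start=1):
        lam = 1
        for k in range(1, n + 1):
            if k != j:
                lam = lam * k % P * pow((k - j) % P, -1, P) % P
        total = (total + lam * s) % P
    return total

def fan_in_product(xs, t, n, seed=0):
    """Steps (1)-(4); the 3-fold local product needs 3t < n to recombine."""
    rng = random.Random(seed)
    l = len(xs)
    b = [rng.randrange(1, P) for _ in range(l + 1)]             # b_0..b_l, nonzero
    sh_b = [shamir_share(v, t, n, rng) for v in b]               # step (1)
    sh_binv = [shamir_share(pow(v, -1, P), t, n, rng) for v in b]
    sh_x = [shamir_share(x % P, t, n, rng) for x in xs]
    d = 1
    for i in range(1, l + 1):
        # step (2): every player multiplies its three shares, no interaction
        prod = [u * v % P * w % P
                for u, v, w in zip(sh_b[i - 1], sh_x[i - 1], sh_binv[i])]
        d = d * recombine(prod) % P                              # step (3): open d_i
    # step (4): shares of d * b_0^{-1} * b_l from [b_0^{-1}], [b_l] and public d
    out = [d * u % P * v % P for u, v in zip(sh_binv[0], sh_b[l])]
    return recombine(out)
```

With $t = 2$ and $n = 7$ the call `fan_in_product([3, 5, 7, 11], 2, 7)` returns 1155; with $n = 6$ the degree-$3t$ product polynomial is no longer determined by the shares and the result is wrong.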

In general, the relationship between $\lambda$-multiplicative LSSS and strongly
$\lambda$-multiplicative LSSS can be described as follows:

$$\cdots \subseteq SMLSSS_{\lambda+1} \subseteq MLSSS_{\lambda+1} \subseteq SMLSSS_{\lambda} \subseteq MLSSS_{\lambda} \subseteq \cdots,$$

where $MLSSS_{\lambda}$ (respectively, $SMLSSS_{\lambda}$) denotes the class of $\lambda$-multiplicative
(respectively, strongly $\lambda$-multiplicative) LSSS. It is easy to see that $SMLSSS_{\lambda} \subsetneq
MLSSS_{\lambda}$ because they exist under the conditions $Q^{\lambda+1}$ and $Q^{\lambda}$, respectively.
Since $SMLSSS_{\lambda}$ and $MLSSS_{\lambda+1}$ both exist under the same necessary and
sufficient condition of $Q^{\lambda+1}$, it is not straightforward to see whether $MLSSS_{\lambda+1}$
is strictly contained in $SMLSSS_{\lambda}$. For $\lambda = 2$, we already know that $MLSSS_3 \subsetneq
SMLSSS_2$ (Section 4.3). It would be interesting to find out if this is also true
for $\lambda > 2$. We have also given an efficient transformation from $SMLSSS_{\lambda}$ to
$MLSSS_{\lambda+1}$. It remains open whether an efficient transformation from $MLSSS_{\lambda}$
to $SMLSSS_{\lambda}$ exists when the access structure is $Q^{\lambda+1}$. When $\lambda = 2$, this is a
well-known open problem [6].

7 Conclusions

In this paper, we propose the new concept of 3-multiplicative LSSS, which form a
subclass of strongly multiplicative LSSS. The 3-multiplicative LSSS are easier to
construct compared to strongly multiplicative LSSS. They can also simplify the
computation and reduce the round complexity in secure multiparty computation
protocols. We believe that 3-multiplicative LSSS are a more appropriate
primitive as building blocks for secure multiparty computations, and deserve further
investigation. We stress that finding efficient constructions of 3-multiplicative
LSSS for general access structures remains an important open problem.